Flaw in Android phones could let attackers eavesdrop on calls

Security researchers have discovered a flaw in smartphone chips made by Taiwanese semiconductor manufacturer MediaTek that could enable hackers to listen in on phone conversations.

The research, carried out by Check Point Research, has highlighted a bug in an audio processor made by MediaTek and used in 37% of the world’s smartphones, including Android devices made by Xiaomi, Oppo, Realme, and Vivo. The flaw is also said to affect some IoT devices.

A malicious instruction sent from one processor to another could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware, the researchers warned in a blog post.

“Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user,” said researchers.

The chip contains a special AI processing unit (APU) and audio Digital signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP have custom Tensilica Xtensa microprocessor architecture. This made it a unique and challenging target for security research, according to Check Point Research.

To exploit the flaw, hackers would have to get a user to install a malicious app on their device. That app would then use MediaTek’s AudioManager API to connect to the audio driver. An application with system privileges then tells the audio driver to run code on the audio processor’s firmware. This then can hijack the audio stream.

Slava Makkaveev, a security researcher at Check Point Software, said that left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users.

“Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign,” he said. “ Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi.”

In a statement to press, Tiger Hsu, product security officer at MediaTek, said that device security is a critical component and priority of all MediaTek platforms.

“Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs,” he added.

The discovered vulnerabilities in the DSP firmware (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) have already been fixed and published in the October 2021 MediaTek Security Bulletin. The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 MediaTek Security Bulletin.